Password Aging

/etc/login.defs for new accounts.

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.

Note that PASS_MIN_LEN in /etc/login.defs has no effect; minimum password length is controlled by the pam_cracklib module. If minlen= is not specified in pam_cracklib, I believe the default minimum password length is 6 characters.

/usr/bin/chage for existing accounts.

Existing account example

User hutchib was already created with essentially no password aging (the default PASS_MAX_DAYS of 99999). To configure the following:

A minimum of 7 days between password changes.

Password expiration after 90 days.

Begin warning about password expiration 14 days in advance.

# /usr/bin/chage -m 7 -M 90 -W 14 hutchib

Note that chage does not update the last password change field (field 3) in /etc/shadow, so passwords could expire immediately.

What happens when your password expires?

If the account is inactive (see chage -I and the 7th field in /etc/shadow), you will be unable to log in and your password will have to be manually reset by an administrator.

If the account is expired but not inactive, you are allowed a "grace login" where your old password is accepted and you must immediately change your password. After changing your password, the connection is closed and you must log in again.
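
The expired and inactive states above, and the immediate-expiry caveat for chage, shown as an added example (not part of the original page): a shell function that classifies a shadow record from fields 3, 5, 6 and 7. The function name aging_state, the sample records, the HASH placeholder and day number 19800 are constructed for illustration; the strict comparison on boundary days is an assumption.

```shell
# aging_state RECORD [TODAY]
# RECORD: one /etc/shadow-format line. TODAY: days since 1970-01-01
# (defaults to the current day). Prints one of:
#   ok | warn | expired | inactive | must-change | no-aging
# Assumption: strict ">" on boundary days; real implementations differ there.
aging_state() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    # Fields: 1 name, 2 hash, 3 last change, 4 min, 5 max, 6 warn, 7 inactive
    IFS=: read -r _name _hash last _min max warn inact _rest <<EOF
$1
EOF
    # Empty field 3 disables aging; 0 forces a change at next login.
    [ -z "$last" ] && { echo no-aging; return; }
    [ "$last" -eq 0 ] && { echo must-change; return; }
    # Empty field 5: no maximum age.
    [ -z "$max" ] && { echo ok; return; }
    age=$(( today - last ))
    if [ "$age" -gt "$max" ]; then
        # Past max age. If field 7 is set and max + inactive days have
        # passed, the grace login is gone and an admin must reset.
        if [ -n "$inact" ] && [ "$age" -gt $(( max + inact )) ]; then
            echo inactive
        else
            echo expired
        fi
    elif [ -n "$warn" ] && [ "$age" -gt $(( max - warn )) ]; then
        echo warn
    else
        echo ok
    fi
}

# Constructed records; the password was last changed 400 days before TODAY.
TODAY=19800
for rec in \
    'hutchib:HASH:19400:0:99999:7:::' \
    'hutchib:HASH:19400:7:90:14:::' \
    'hutchib:HASH:19400:7:90:14:30::' \
    'hutchib:HASH:19720:7:90:14:::'
do
    printf '%-36s %s\n' "$rec" "$(aging_state "$rec" "$TODAY")"
done
```

The second record is the first one after chage -m 7 -M 90 -W 14: field 3 is unchanged, so the password is already past its new maximum age.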